Re: [libvirt] How to prevent libvirt from adding iptables rules?

(sorry, Daniel... I had only answered you instead of copying the list also)
Daniel P. Berrange wrote on 01/04/09 09:41:
> On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
>
>> At first I used the 'default' network (with a different rfc1918
>> network)... everything was kinda working until I rebooted the host... at
>> that point I lost connectivity between the outside world and the VMs.
>> From inside the host I had no trouble connecting to the VMs.
>>
>> If I restarted shorewall (which actually cleans all iptables rules and
>> regenerate them according to its configuration) everything works fine.
>> After sending a report and some debugging in the shorewall mailing list,
>> it was clear that libvirt was adding rules to iptables.
>>
>
> Yes, the libvirt virtual network capability adds iptables to control
> traffic to/from the virtual network.
>
>
>> After reading a bit
>> (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new
>> network called "isolated". I stopped default (and disabled its
>> autostart), and defined and started isolated.
>>
>> This is the content of isolated.xml:
>> <network>
>> <name>isolated</name>
>> <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>> <bridge name='virbr%d' stp='on' forwardDelay='0' />
>> <ip address='10.3.14.1' netmask='255.255.255.0'>
>> <dhcp>
>> <range start='10.3.14.128' end='10.3.14.254' />
>> </dhcp>
>> </ip>
>> </network>
>>
>> I modified my VMs to use isolated rather than default, but rules keep
>> being added to iptables when libvirt-bin is started.
>>
>> Is there a way to convince libvirt not to add these rules?
>>
>
> No, libvirt needs to add the rules here because otherwise the guest
> virtual network would not be guaranteed to be isolated from the host
> network.
>
> If this is a problem, then the best bet is to not use the virtual
> network capability. Instead create a bridge device yourself using
> distro network scripts, and do whatever routing/firewalling setup
> you need for shorewall to work.
>
> Daniel
>
I see... so I can't just ask libvirt to create the bridge for me and not
touch iptables rules... I chose "isolated" just hoping that would be
the way of preventing the addition of iptables rules...
The problem at this time is that the rules I see libvirt adds are
conflicting with my rules (since they are inserted at the top of INPUT
and FORWARD before mine):
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source     destination
    0     0 ACCEPT udp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  udp dpt:53
    0     0 ACCEPT tcp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  tcp dpt:53
    0     0 ACCEPT udp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  udp dpt:67
    0     0 ACCEPT tcp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  tcp dpt:67
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source     destination
    0     0 ACCEPT all  --  vnet0 vnet0 0.0.0.0/0  0.0.0.0/0
    0     0 REJECT all  --  *     vnet0 0.0.0.0/0  0.0.0.0/0  reject-with icmp-port-unreachable
    0     0 REJECT all  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  reject-with icmp-port-unreachable
Well... for the time being, I think I'll add a "shorewall restart" at
the end of rc.local which will kill these rules and leave only the ones
that shorewall generates...
--
Mariano Absatz - "El Baby"
el baby gmail com
www.clueless.com.ar
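A small check for the ordering problem discussed in this message, as an added example that is not part of the thread or of libvirt: it reads an `iptables -L -n -v` listing and counts the libvirt-style rules (those matching vnet*/virbr* interfaces) that sit ahead of the first rule of your own in a chain, so a boot-time script can tell whether libvirt's rules ended up in front of the firewall's. The sample listing is constructed from the one quoted above plus one hypothetical shorewall-style rule per chain; the `net2fw`/`net2all` target names are assumptions.

```shell
#!/bin/sh
# Added example: audit an `iptables -L -n -v` listing for libvirt-generated
# rules (matching vnet*/virbr* interfaces) that precede the administrator's
# own rules in a chain. SAMPLE is a constructed listing based on the one in
# the message; the net2fw/net2all rules are hypothetical shorewall-style rules.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source     destination
    0     0 ACCEPT udp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  udp dpt:53
    0     0 ACCEPT tcp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  tcp dpt:53
    0     0 ACCEPT udp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  udp dpt:67
    0     0 ACCEPT tcp  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  tcp dpt:67
    0     0 net2fw all  --  eth0  *     0.0.0.0/0  0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source     destination
    0     0 ACCEPT all  --  vnet0 vnet0 0.0.0.0/0  0.0.0.0/0
    0     0 REJECT all  --  *     vnet0 0.0.0.0/0  0.0.0.0/0  reject-with icmp-port-unreachable
    0     0 REJECT all  --  vnet0 *     0.0.0.0/0  0.0.0.0/0  reject-with icmp-port-unreachable
    0     0 net2all all --  *     *     0.0.0.0/0  0.0.0.0/0'

# Print how many libvirt-style rules come before the first other rule in
# chain $1 of the listing read on stdin. 0 means your own rules come first.
# Columns of `iptables -L -n -v`: pkts bytes target prot opt in out ...
libvirt_rules_ahead() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        !inchain || /^ *pkts/ || NF == 0 { next }
        $6 ~ /^(vnet|virbr)/ || $7 ~ /^(vnet|virbr)/ { if (!seen_other) n++; next }
        { seen_other = 1 }
        END { print n + 0 }'
}

# Convenience wrapper that runs the check against the constructed sample.
sample_ahead() { printf '%s\n' "$SAMPLE" | libvirt_rules_ahead "$1"; }

# With --live, inspect the running firewall instead (needs root).
if [ "${1:-}" = "--live" ]; then
    for c in INPUT FORWARD; do
        printf '%s: %s libvirt rules ahead of yours\n' "$c" "$(iptables -L -n -v | libvirt_rules_ahead "$c")"
    done
fi
```

Run it from rc.local (or after `shorewall restart`) and act when a count is non-zero; on the sample it reports 4 for INPUT and 3 for FORWARD.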